What is claimed is: 



1. A hybrid hardware/software packet filter comprising:

rule compiling means for assembling packet acceptance 
rules and creating a rule table, and outputting said 
rule table; 

a configurable hardware circuit receiving said
rule table and creating hardware circuits representing
said rule table for applying said rule table to said
packet and outputting a match bit vector indicating
whether said packet matched a corresponding entry in
said rule table;

linking means receiving said match bit vector for 
linking said match bit vector with said corresponding 
entry in said rule table and for directing said packet 
to a destination determined by said rule table. 

2. The hybrid software/hardware packet filter as
described in Claim 1, wherein said configurable 
hardware circuit is mapped onto a Field Programmable 
Gate Array. 

3. The hybrid software/hardware packet filter as 
described in Claim 1, wherein said rule compiler means 
also outputs a Hardware Description Language entity
definition.

4. The hybrid software/hardware packet filter as 
described in Claim 3, wherein said Hardware 
Description Language Description entity definition 
comprises a Very High Speed Integrated Circuit
Hardware Description Language Description. 

5. The hybrid software/hardware packet filter as 
described in Claim 3, wherein said Hardware
Description Language Description entity definition 
comprises Verilog. 

6. The hybrid software/hardware packet filter as 
described in Claim 1, wherein said destination 
includes logging or an alert being generated in the 
case of suspicious packets. 

7. A method of filtering incoming packets comprising 
the steps of: 

compiling a set of rules to be applied to 
incoming packets; 

configuring hardware to create circuits 
representative of said set of rules; 

comparing said incoming packets with said 
circuits representative of said set of rules; 

outputting a single bit indicative of whether a 
packet is accepted or rejected; 

linking said single bit with a rule table; and 

directing said incoming packets to destinations 
determined by said rule table. 

8. The method as described in Claim 7, wherein said 
step of configuring hardware includes a VHDL entity
definition. 



9. The method as described in Claim 7, wherein said
directing step includes directing said incoming
packets to destinations where suspicious packets are 
logged. 

10. The method as described in Claim 7, wherein said 
directing step includes directing said incoming 
packets to destinations where suspicious packets cause 
an alert of some type to be generated. 